From 8ee217518d793149d53126c81e330689c7e6098a Mon Sep 17 00:00:00 2001
From: Valera V Harseko
Date: Fri, 26 Jun 2026 11:48:39 +0300
Subject: [PATCH 1/2] Bump js-yaml to 4.2.0 (CVE-2026-53550, GHSA-h67p-54hq-rp68)

js-yaml <= 4.1.1 is vulnerable to a quadratic-complexity DoS in merge key handling; the fix is only in 4.2.0.

- openam-ui-ria: raise the direct devDependency from ^3.14.2 to ^4.2.0; the existing $js-yaml overrides pull mocha/eslint/grunt to 4.2.0 too.
- openam-ui-api: add an overrides entry forcing the transitive js-yaml (via grunt) to ^4.2.0.

Both are dev-only tools that parse YAML config only; this project has no YAML config (eslint uses .eslintrc.js, no .mocharc.yml, Gruntfiles never call readYAML), so the v4 removal of safeLoad/safeDump is not reached.

Verified js-yaml resolves to a single 4.2.0 and both Gruntfiles load.

Resolves Dependabot alerts 262 and 257.
---
 openam-ui/openam-ui-api/package-lock.json | 50 ++++++++------------
 openam-ui/openam-ui-api/package.json | 1 +
 openam-ui/openam-ui-ria/package-lock.json | 56 ++++++++---------------
 openam-ui/openam-ui-ria/package.json | 8 ++--
 4 files changed, 43 insertions(+), 72 deletions(-)

diff --git a/openam-ui/openam-ui-api/package-lock.json b/openam-ui/openam-ui-api/package-lock.json
index c9be1a7a75..5e2a5472c3 100644
--- a/openam-ui/openam-ui-api/package-lock.json
+++ b/openam-ui/openam-ui-api/package-lock.json
@@ -48,13 +48,11 @@
 }
 },
 "node_modules/argparse": {
- "version": "1.0.10",
- "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz",
- "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
+ "version": "2.0.1",
+ "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+ "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
 "dev": true,
- "dependencies": {
- "sprintf-js": "~1.0.2"
- }
+ "license": "Python-2.0"
 },
 "node_modules/array-each": {
 "version": "1.0.1",
@@ -185,19 +183,6 @@
 "node": ">=0.8.0"
 }
 },
- "node_modules/esprima": {
- "version": "4.0.1",
- "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
- "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==",
- "dev": true,
- "bin": {
- "esparse": "bin/esparse.js",
- "esvalidate": "bin/esvalidate.js"
- },
- "engines": {
- "node": ">=4"
- }
- },
 "node_modules/eventemitter2": {
 "version": "0.4.14",
 "resolved": "https://registry.npmjs.org/eventemitter2/-/eventemitter2-0.4.14.tgz",
@@ -777,14 +762,23 @@
 }
 },
 "node_modules/js-yaml": {
- "version": "3.14.2",
- "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
- "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
- "dev": true,
+ "version": "4.2.0",
+ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
+ "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
+ "dev": true,
+ "funding": [
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/puzrin"
+ },
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/nodeca"
+ }
+ ],
 "license": "MIT",
 "dependencies": {
- "argparse": "^1.0.7",
- "esprima": "^4.0.0"
+ "argparse": "^2.0.1"
 },
 "bin": {
 "js-yaml": "bin/js-yaml.js"
@@ -1100,12 +1094,6 @@
 "integrity": "sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==",
 "dev": true
 },
- "node_modules/sprintf-js": {
- "version": "1.0.3",
- "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
- "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==",
- "dev": true
- },
 "node_modules/strip-ansi": {
 "version": "3.0.1",
 "resolved": "https://registry.npmjs.org/strip-ansi/-/strip-ansi-3.0.1.tgz",
diff --git a/openam-ui/openam-ui-api/package.json b/openam-ui/openam-ui-api/package.json
index 50e5e0afd4..c856ad45af 100644
--- a/openam-ui/openam-ui-api/package.json
+++ b/openam-ui/openam-ui-api/package.json
@@ -16,6 +16,7 @@
 "swagger-ui-dist": ">=5.29.0"
 },
 "overrides": {
+ "js-yaml": "^4.2.0",
 "grunt": {
 "lodash": "$lodash"
 }
diff --git a/openam-ui/openam-ui-ria/package-lock.json b/openam-ui/openam-ui-ria/package-lock.json
index f647d7d916..a710568e51 100644
--- a/openam-ui/openam-ui-ria/package-lock.json
+++ b/openam-ui/openam-ui-ria/package-lock.json
@@ -28,7 +28,7 @@
 "grunt-newer": "1.3.0",
 "grunt-sync": "0.8.2",
 "grunt-text-replace": "0.4.0",
- "js-yaml": "^3.14.2",
+ "js-yaml": "^4.2.0",
 "jsdoc": "^4.0.3",
 "karma": "6.4.3",
 "karma-babel-preprocessor": "8.0.2",
@@ -1835,13 +1835,11 @@
 }
 },
 "node_modules/argparse": {
- "version": "1.0.10",
- "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz",
- "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==",
+ "version": "2.0.1",
+ "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
+ "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
 "dev": true,
- "dependencies": {
- "sprintf-js": "~1.0.2"
- }
+ "license": "Python-2.0"
 },
 "node_modules/array-buffer-byte-length": {
 "version": "1.0.2",
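Review bot: The new `"js-yaml": "^4.2.0"` override in openam-ui-api/package.json forces the v4 API onto every consumer in that tree, including grunt's readYAML path named in the description, yet the verification recorded for this commit is only that js-yaml resolves to a single 4.2.0 and the Gruntfile loads, not that the grunt tasks actually run. The second patch in this series shows what that gap costs: the same check in openam-ui-ria passed while the eslint task still failed at runtime on the removed yaml.safeLoad API. Before merging, the openam-ui-api build tasks should be executed end to end, and the description should name which tasks were exercised so the "not reached" claim about safeLoad/safeDump is backed by a run rather than by grep. Since the override is a caret range, the lockfile hunks above are what actually pin the resolved 4.2.0; any future lockfile regeneration that drifts should be treated as a security-relevant change, not a routine one.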
@@ -3464,19 +3462,6 @@
 "node": ">=0.10.0"
 }
 },
- "node_modules/esprima": {
- "version": "4.0.1",
- "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz",
- "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==",
- "dev": true,
- "bin": {
- "esparse": "bin/esparse.js",
- "esvalidate": "bin/esvalidate.js"
- },
- "engines": {
- "node": ">=4"
- }
- },
 "node_modules/esrecurse": {
 "version": "4.3.0",
 "resolved": "https://registry.npmjs.org/esrecurse/-/esrecurse-4.3.0.tgz",
@@ -5440,14 +5425,23 @@
 "dev": true
 },
 "node_modules/js-yaml": {
- "version": "3.14.2",
- "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
- "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
+ "version": "4.2.0",
+ "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz",
+ "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==",
 "dev": true,
+ "funding": [
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/puzrin"
+ },
+ {
+ "type": "github",
+ "url": "https://github.com/sponsors/nodeca"
+ }
+ ],
 "license": "MIT",
 "dependencies": {
- "argparse": "^1.0.7",
- "esprima": "^4.0.0"
+ "argparse": "^2.0.1"
 },
 "bin": {
 "js-yaml": "bin/js-yaml.js"
@@ -6065,12 +6059,6 @@
 "markdown-it": "*"
 }
 },
- "node_modules/markdown-it/node_modules/argparse": {
- "version": "2.0.1",
- "resolved": "https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz",
- "integrity": "sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==",
- "dev": true
- },
 "node_modules/marked": {
 "version": "4.3.0",
 "resolved": "https://registry.npmjs.org/marked/-/marked-4.3.0.tgz",
@@ -7792,12 +7780,6 @@
 "node": ">=0.10.0"
 }
 },
- "node_modules/sprintf-js": {
- "version": "1.0.3",
- "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz",
- "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==",
- "dev": true
- },
 "node_modules/statuses": {
 "version": "1.5.0",
 "resolved": "https://registry.npmjs.org/statuses/-/statuses-1.5.0.tgz",
diff --git a/openam-ui/openam-ui-ria/package.json b/openam-ui/openam-ui-ria/package.json
index d452ddbc4a..4ed95f5042 100644
--- a/openam-ui/openam-ui-ria/package.json
+++ b/openam-ui/openam-ui-ria/package.json
@@ -18,6 +18,7 @@
 "@babel/core": "^7.29.6",
 "@babel/preset-env": "^7.28.3",
 "@babel/preset-react": "7.27.1",
+ "ajv": "^8.16.0",
 "chai": "3.5.0",
 "cross-env": "3.1.3",
 "eslint-config-forgerock": "file:../node_packages/eslint-config-forgerock-2.0.1.tgz",
@@ -34,6 +35,7 @@
 "grunt-newer": "1.3.0",
 "grunt-sync": "0.8.2",
 "grunt-text-replace": "0.4.0",
+ "js-yaml": "^4.2.0",
 "jsdoc": "^4.0.3",
 "karma": "6.4.3",
 "karma-babel-preprocessor": "8.0.2",
@@ -42,14 +44,12 @@
 "karma-requirejs": "1.1.0",
 "less-plugin-clean-css": "1.5.1",
 "lodash": "4.18.1",
+ "minimatch": "^3.1.5",
 "mocha": "7.2.0",
 "requirejs": "2.3.7",
 "rimraf": "2.5.4",
 "sinon": "1.17.6",
- "sinon-chai": "2.8.0",
- "ajv": "^8.16.0",
- "js-yaml": "^3.14.2",
- "minimatch": "^3.1.5"
+ "sinon-chai": "2.8.0"
 },
 "overrides": {
 "minimatch": "^3.1.5",

From 5e1d52980052cf51bb5cf07e823b08ffd7f392fa Mon Sep 17 00:00:00 2001
From: Valera V Harseko
Date: Fri, 26 Jun 2026 18:17:47 +0300
Subject: [PATCH 2/2] Fix openam-ui-ria build broken by js-yaml 4 upgrade

Bumping js-yaml to 4.2.0 (CVE-2026-49982 / CVE-2026-53550) and forcing it across the dependency tree via overrides breaks the eslint task: grunt-eslint 19.0.0 pulls eslint 3.8.1, whose config loader reads the extensionless src/test/.eslintrc through its legacy YAML loader, which calls the yaml.safeLoad() API removed in js-yaml 4. The npm build:production task then fails with "Function yaml.safeLoad is removed in js-yaml 4".

Rename src/test/.eslintrc to src/test/.eslintrc.json (the content is already valid JSON) so eslint parses it via JSON.parse instead of the YAML loader. This keeps the full js-yaml 4.2.0 remediation in place while restoring the build.
---
 openam-ui/openam-ui-ria/src/test/{.eslintrc => .eslintrc.json} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename openam-ui/openam-ui-ria/src/test/{.eslintrc => .eslintrc.json} (100%)

diff --git a/openam-ui/openam-ui-ria/src/test/.eslintrc b/openam-ui/openam-ui-ria/src/test/.eslintrc.json
similarity index 100%
rename from openam-ui/openam-ui-ria/src/test/.eslintrc
rename to openam-ui/openam-ui-ria/src/test/.eslintrc.json